<!DOCTYPE html>
<html>

<head>
  <title>Quarkus - Using OpenID Connect Multi-Tenancy</title>
  <script id="adobe_dtm" src="https://www.redhat.com/dtm.js" type="text/javascript"></script>
  <script src="/assets/javascript/highlight.pack.js" type="text/javascript"></script>
  <META HTTP-EQUIV='Content-Security-Policy' CONTENT="default-src 'none'; script-src 'self' 'unsafe-eval' 'sha256-ANpuoVzuSex6VhqpYgsG25OHWVA1I+F6aGU04LoI+5s=' 'sha256-ipy9P/3rZZW06mTLAR0EnXvxSNcnfSDPLDuh3kzbB1w=' js.bizographics.com https://www.redhat.com assets.adobedtm.com jsonip.com https://ajax.googleapis.com https://www.googletagmanager.com https://www.google-analytics.com https://use.fontawesome.com; style-src 'self' https://fonts.googleapis.com https://use.fontawesome.com; img-src 'self' *; media-src 'self' ; frame-src https://www.googletagmanager.com https://www.youtube.com; frame-ancestors 'none'; base-uri 'none'; object-src 'none'; form-action 'none'; font-src 'self' https://use.fontawesome.com https://fonts.gstatic.com;">
  <META HTTP-EQUIV='X-Frame-Options' CONTENT="DENY">
  <META HTTP-EQUIV='X-XSS-Protection' CONTENT="1; mode=block">
  <META HTTP-EQUIV='X-Content-Type-Options' CONTENT="nosniff">
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="description" content="Quarkus: Supersonic Subatomic Java">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:site" content="@QuarkusIO"> 
  <meta name="twitter:creator" content="@QuarkusIO">
  <meta property="og:url" content="https://quarkus.io/guides/security-openid-connect-multitenancy" />
  <meta property="og:title" content="Quarkus - Using OpenID Connect Multi-Tenancy" />
  <meta property="og:description" content="Quarkus: Supersonic Subatomic Java" />
  <meta property="og:image" content="/assets/images/quarkus_card.png" />
  <link rel="canonical" href="https://quarkus.io/guides/security-openid-connect-multitenancy">
  <link rel="shortcut icon" type="image/png" href="/favicon.ico" >
  <link rel="stylesheet" href="https://quarkus.io/guides/stylesheet/config.css" />
  <link rel="stylesheet" href="/assets/css/main.css" />
  <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.1.0/css/all.css" integrity="sha384-lKuwvrZot6UHsBSfcMvOkWwlCMgc0TaWr+30HWe3a4ltaBwTZhyTEggF5tJv8tbt" crossorigin="anonymous">
  <link rel="alternate" type="application/rss+xml"  href="https://quarkus.io/feed.xml" title="Quarkus">
  <script src="https://quarkus.io/assets/javascript/goan.js" type="text/javascript"></script>
  <script src="https://quarkus.io/assets/javascript/hl.js" type="text/javascript"></script>
</head>

<body class="guides">
  <!-- Google Tag Manager (noscript) -->
  <noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-NJWS5L"
  height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
  <!-- End Google Tag Manager (noscript) -->

  <div class="nav-wrapper">
  <div class="grid-wrapper">
    <div class="width-12-12">
      <input type="checkbox" id="checkbox" />
      <nav id="main-nav" class="main-nav">
  <div class="container">
    <div class="logo-wrapper">
      
        <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_600px_reverse.png" class="project-logo" title="Quarkus"></a>
      
    </div>
    <label class="nav-toggle" for="checkbox">
      <i class="fa fa-bars"></i>
    </label>
    <div id="menu" class="menu">
      <span>
        <a href="/get-started/" class="">Get Started</a>
      </span>
      <span>
        <a href="/guides/" class="active">Guides</a>
      </span>
      <span>
        <a href="/community/" class="">Community</a>
      </span>
      <span>
        <a href="/support/" class="">Support</a>
      </span>
      <span>
        <a href="/blog/" class="">Blog</a>
      </span>
      <span>
        <a href="https://code.quarkus.io" class="button-cta secondary white">Start Coding</a>
      </span>
    </div>
  </div>
      </nav>
    </div>
  </div>
</div>

  <div class="content">
    <div class="guide">
  <div class="width-12-12">
    <h1 class="text-caps">Quarkus - Using OpenID Connect Multi-Tenancy</h1>
    <div class="hide-mobile toc"><ul class="sectlevel1">
<li><a href="#prerequisites">Prerequisites</a></li>
<li><a href="#architecture">Architecture</a></li>
<li><a href="#solution">Solution</a></li>
<li><a href="#creating-the-maven-project">Creating the Maven Project</a></li>
<li><a href="#writing-the-application">Writing the application</a></li>
<li><a href="#configuring-the-application">Configuring the application</a>
<ul class="sectlevel2">
<li><a href="#google-openid-provider-configuration">Google OpenID Provider Configuration</a></li>
</ul>
</li>
<li><a href="#starting-and-configuring-the-keycloak-server">Starting and Configuring the Keycloak Server</a></li>
<li><a href="#running-and-using-the-application">Running and Using the Application</a>
<ul class="sectlevel2">
<li><a href="#running-in-developer-mode">Running in Developer Mode</a></li>
<li><a href="#running-in-jvm-mode">Running in JVM Mode</a></li>
<li><a href="#running-in-native-mode">Running in Native Mode</a></li>
</ul>
</li>
<li><a href="#testing-the-application">Testing the Application</a></li>
<li><a href="#programmatically-resolving-tenants-configuration">Programmatically Resolving Tenants Configuration</a></li>
<li><a href="#disabling-tenant-configurations">Disabling Tenant Configurations</a></li>
<li><a href="#configuration-reference">Configuration Reference</a></li>
<li><a href="#references">References</a></li>
</ul></div>
    <div>
      <div id="preamble">
<div class="sectionbody">
<div class="paragraph">
<p>This guide demonstrates how your OpenID Connect application can support multi-tenancy so that you can serve multiple tenants from a single application. Tenants can be distinct realms or security domains within the same OpenID Provider or even distinct OpenID Providers.</p>
</div>
<div class="paragraph">
<p>When serving multiple customers from the same application (e.g.: SaaS), each customer is a tenant. By enabling multi-tenancy support to your applications you are allowed to also support distinct authentication policies for each tenant even though if that means authenticating against different OpenID Providers, such as Keycloak and Google.</p>
</div>
<div class="paragraph">
<p>Please read the <a href="security-openid-connect">Using OpenID Connect to Protect Service Applications</a> guide if you need to authorize a tenant using Bearer Token Authorization.</p>
</div>
<div class="paragraph">
<p>Please read the <a href="security-openid-connect-web-authentication">Using OpenID Connect to Protect Web Applications</a> guide if you need to authenticate and authorize a tenant using OpenId Connect Authorization Code Flow.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="prerequisites"><a class="anchor" href="#prerequisites"></a>Prerequisites</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To complete this guide, you need:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>less than 15 minutes</p>
</li>
<li>
<p>an IDE</p>
</li>
<li>
<p>JDK 1.8+ installed with <code>JAVA_HOME</code> configured appropriately</p>
</li>
<li>
<p>Apache Maven 3.6.2+</p>
</li>
<li>
<p><a href="https://stedolan.github.io/jq/">jq tool</a></p>
</li>
<li>
<p>Docker</p>
</li>
</ul>
</div>
</div>
</div>
<div class="sect1">
<h2 id="architecture"><a class="anchor" href="#architecture"></a>Architecture</h2>
<div class="sectionbody">
<div class="paragraph">
<p>In this example, we build a very simple application which offers a single land page:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><code>/{tenant}</code></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>The land page is served by a JAX-RS Resource and shows information obtained from the OpenID Provider about the authenticated user and the current tenant.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="solution"><a class="anchor" href="#solution"></a>Solution</h2>
<div class="sectionbody">
<div class="paragraph">
<p>We recommend that you follow the instructions in the next sections and create the application step by step.
However, you can go right to the completed example.</p>
</div>
<div class="paragraph">
<p>Clone the Git repository: <code>git clone <a href="https://github.com/quarkusio/quarkus-quickstarts.git" class="bare">https://github.com/quarkusio/quarkus-quickstarts.git</a></code>, or download an <a href="https://github.com/quarkusio/quarkus-quickstarts/archive/master.zip">archive</a>.</p>
</div>
<div class="paragraph">
<p>The solution is located in the <code>security-openid-connect-multi-tenancy</code> <a href="https://github.com/quarkusio/quarkus-quickstarts/tree/master/security-openid-connect-multi-tenancy">directory</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="creating-the-maven-project"><a class="anchor" href="#creating-the-maven-project"></a>Creating the Maven Project</h2>
<div class="sectionbody">
<div class="paragraph">
<p>First, we need a new project. Create a new project with the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code class="language-none hljs">mvn io.quarkus:quarkus-maven-plugin:1.7.0.Final:create \
    -DprojectGroupId=org.acme \
    -DprojectArtifactId=security-openid-connect-multi-tenancy \
    -Dextensions="oidc, resteasy-jsonb"
cd security-openid-connect-multi-tenancy</code></pre>
</div>
</div>
<div class="paragraph">
<p>If you already have your Quarkus project configured, you can add the <code>oidc</code> extension
to your project by running the following command in your project base directory:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw quarkus:add-extension -Dextensions="oidc"</code></pre>
</div>
</div>
<div class="paragraph">
<p>This will add the following to your <code>pom.xml</code>:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="xml" class="language-xml hljs">&lt;dependency&gt;
    &lt;groupId&gt;io.quarkus&lt;/groupId&gt;
    &lt;artifactId&gt;quarkus-oidc&lt;/artifactId&gt;
&lt;/dependency&gt;</code></pre>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="writing-the-application"><a class="anchor" href="#writing-the-application"></a>Writing the application</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Let&#8217;s start by implementing the <code>/{tenant}</code> endpoint. As you can see from the source code below it is just a regular JAX-RS resource:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.quickstart.oidc;

import javax.inject.Inject;
import javax.ws.rs.GET;
import javax.ws.rs.Path;

import org.eclipse.microprofile.jwt.JsonWebToken;

import io.quarkus.oidc.IdToken;

@Path("/{tenant}")
public class HomeResource {

    /**
     * Injection point for the ID Token issued by the OpenID Connect Provider
     */
    @Inject
    @IdToken
    JsonWebToken idToken;

    /**
     * Returns the tokens available to the application. This endpoint exists only for demonstration purposes, you should not
     * expose these tokens in a real application.
     *
     * @return the landing page HTML
     */
    @GET
    public String getHome() {
        StringBuilder response = new StringBuilder().append("&lt;html&gt;").append("&lt;body&gt;");

        response.append("&lt;h2&gt;Welcome, ").append(this.idToken.getClaim("email").toString()).append("&lt;/h2&gt;\n");
        response.append("&lt;h3&gt;You are accessing the application within tenant &lt;b&gt;").append(idToken.getIssuer()).append(" boundaries&lt;/b&gt;&lt;/h3&gt;");

        return response.append("&lt;/body&gt;").append("&lt;/html&gt;").toString();
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>In order to resolve the tenant from incoming requests and map it to a specific <code>quarkus-oidc</code> tenant configuration in application.properties, you need to create an implementation for the <code>io.quarkus.oidc.TenantResolver</code> interface.</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package org.acme.quickstart.oidc;

import javax.enterprise.context.ApplicationScoped;

import io.quarkus.oidc.TenantResolver;
import io.vertx.ext.web.RoutingContext;

@ApplicationScoped
public class CustomTenantResolver implements TenantResolver {

    @Override
    public String resolve(RoutingContext context) {
        String path = context.request().path();
        String[] parts = path.split("/");

        if (parts.length == 0) {
            // resolve to default tenant configuration
            return null;
        }

        return parts[1];
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>From the implementation above, tenants are resolved from the request path so that in case no tenant could be inferred, <code>null</code> is returned to indicate that the default tenant configuration should be used.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuring-the-application"><a class="anchor" href="#configuring-the-application"></a>Configuring the application</h2>
<div class="sectionbody">
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="properties" class="language-properties hljs"># Default Tenant Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=multi-tenant-client
quarkus.oidc.application-type=web-app

# Tenant A Configuration
quarkus.oidc.tenant-a.auth-server-url=http://localhost:8180/auth/realms/tenant-a
quarkus.oidc.tenant-a.client-id=multi-tenant-client
quarkus.oidc.tenant-a.application-type=web-app

# HTTP Security Configuration
quarkus.http.auth.permission.authenticated.paths=/*
quarkus.http.auth.permission.authenticated.policy=authenticated</code></pre>
</div>
</div>
<div class="paragraph">
<p>The first configuration is the default tenant configuration that should be used when the tenant can not be inferred from the request. This configuration is using a Keycloak instance to authenticate users.</p>
</div>
<div class="paragraph">
<p>The second configuration is the configuration that will be used when an incoming request is mapped to the tenant <code>tenant-a</code>.</p>
</div>
<div class="paragraph">
<p>Note that both configurations map to the same Keycloak server instance while using distinct <code>realms</code>.</p>
</div>
<div class="paragraph">
<p>You can define multiple tenants in your configuration file, just make sure they have a unique alias so that you can map them properly when resolving a tenant from your <code>TenantResolver</code> implementation.</p>
</div>
<div class="sect2">
<h3 id="google-openid-provider-configuration"><a class="anchor" href="#google-openid-provider-configuration"></a>Google OpenID Provider Configuration</h3>
<div class="paragraph">
<p>In order to set-up the <code>tenant-a</code> configuration to use Google OpenID Provider, you need to create a project as described <a href="https://developers.google.com/identity/protocols/OpenIDConnect">here</a>.</p>
</div>
<div class="paragraph">
<p>Once you create the project and have your project&#8217;s <code>client_id</code> and <code>client_secret</code>, you can try to configure a tenant as follows:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="properties" class="language-properties hljs"># Tenant configuration using Google OpenID Provider
quarkus.oidc.tenant-b.auth-server-url=https://accounts.google.com
quarkus.oidc.tenant-b.application-type=web-app
quarkus.oidc.tenant-b.client-id={GOOGLE_CLIENT_ID}
quarkus.oidc.tenant-b.credentials.secret={GOOGLE_CLIENT_SECRET}
quarkus.oidc.tenant-b.token.issuer=https://accounts.google.com
quarkus.oidc.tenant-b.authentication.scopes=email,profile,openid</code></pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="starting-and-configuring-the-keycloak-server"><a class="anchor" href="#starting-and-configuring-the-keycloak-server"></a>Starting and Configuring the Keycloak Server</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To start a Keycloak Server you can use Docker and just run the following command:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">docker run --name keycloak -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin -p 8180:8080 {keycloak-docker-image}</code></pre>
</div>
</div>
<div class="paragraph">
<p>You should be able to access your Keycloak Server at <a href="http://localhost:8180/auth">localhost:8180/auth</a>.</p>
</div>
<div class="paragraph">
<p>Log in as the <code>admin</code> user to access the Keycloak Administration Console. Username should be <code>admin</code> and password <code>admin</code>.</p>
</div>
<div class="paragraph">
<p>Now, follow the steps below to import the realms for the two tenants:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Import the <a href="https://github.com/quarkusio/quarkus-quickstarts/tree/master/security-openid-connect-multi-tenancy/config/default-tenant-realm.json">default-tenant-realm.json</a> to create the default realm</p>
</li>
<li>
<p>Import the <a href="https://github.com/quarkusio/quarkus-quickstarts/tree/master/security-openid-connect-multi-tenancy/config/tenant-a-realm.json">tenant-a-realm.json</a> to create the realm for the tenant <code>tenant-a</code>.</p>
</li>
</ul>
</div>
<div class="paragraph">
<p>For more details, see the Keycloak documentation about how to <a href="https://www.keycloak.org/docs/latest/server_admin/index.html#_create-realm">create a new realm</a>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="running-and-using-the-application"><a class="anchor" href="#running-and-using-the-application"></a>Running and Using the Application</h2>
<div class="sectionbody">
<div class="sect2">
<h3 id="running-in-developer-mode"><a class="anchor" href="#running-in-developer-mode"></a>Running in Developer Mode</h3>
<div class="paragraph">
<p>To run the microservice in dev mode, use <code>./mvnw clean compile quarkus:dev</code>.</p>
</div>
</div>
<div class="sect2">
<h3 id="running-in-jvm-mode"><a class="anchor" href="#running-in-jvm-mode"></a>Running in JVM Mode</h3>
<div class="paragraph">
<p>When you&#8217;re done playing with "dev-mode" you can run it as a standard Java application.</p>
</div>
<div class="paragraph">
<p>First compile it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw package</code></pre>
</div>
</div>
<div class="paragraph">
<p>Then run it:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">java -jar ./target/security-openid-connect-multi-tenancy-quickstart-runner.jar</code></pre>
</div>
</div>
</div>
<div class="sect2">
<h3 id="running-in-native-mode"><a class="anchor" href="#running-in-native-mode"></a>Running in Native Mode</h3>
<div class="paragraph">
<p>This same demo can be compiled into native code: no modifications required.</p>
</div>
<div class="paragraph">
<p>This implies that you no longer need to install a JVM on your
production environment, as the runtime technology is included in
the produced binary, and optimized to run with minimal resource overhead.</p>
</div>
<div class="paragraph">
<p>Compilation will take a bit longer, so this step is disabled by default;
let&#8217;s build again by enabling the <code>native</code> profile:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./mvnw package -Pnative</code></pre>
</div>
</div>
<div class="paragraph">
<p>After getting a cup of coffee, you&#8217;ll be able to run this binary directly:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="bash" class="language-bash hljs">./target/security-openid-connect-multi-tenancy-quickstart-runner</code></pre>
</div>
</div>
</div>
</div>
</div>
<div class="sect1">
<h2 id="testing-the-application"><a class="anchor" href="#testing-the-application"></a>Testing the Application</h2>
<div class="sectionbody">
<div class="paragraph">
<p>To test the application, you should open your browser and access the following URL:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="http://localhost:8080/default">http://localhost:8080/default</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>If everything is working as expected, you should be redirected to the Keycloak server to authenticate. Note that the requested path
defines a <code>default</code> tenant which we don&#8217;t have mapped in the configuration file. In this case, the default configuration will be used.</p>
</div>
<div class="paragraph">
<p>In order to authenticate to the application you should type the following credentials when at the Keycloak login page:</p>
</div>
<div class="ulist">
<ul>
<li>
<p>Username: <strong>alice</strong></p>
</li>
<li>
<p>Password: <strong>alice</strong></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>After clicking the <code>Login</code> button you should be redirected back to the application.</p>
</div>
<div class="paragraph">
<p>If you try now to access the application at the following URL:</p>
</div>
<div class="ulist">
<ul>
<li>
<p><a href="http://localhost:8080/tenant-a">http://localhost:8080/tenant-a</a></p>
</li>
</ul>
</div>
<div class="paragraph">
<p>You should be redirected again to the login page at Keycloak. However, now you are going to authenticate using a different <code>realm</code>.</p>
</div>
<div class="paragraph">
<p>In both cases, if the user is successfully authenticated, the landing page will show the user&#8217;s name and e-mail. Even though
user <code>alice</code> exists in both tenants, for the application they are distinct users belonging to different realms/tenants.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="programmatically-resolving-tenants-configuration"><a class="anchor" href="#programmatically-resolving-tenants-configuration"></a>Programmatically Resolving Tenants Configuration</h2>
<div class="sectionbody">
<div class="paragraph">
<p>If you need a more dynamic configuration for the different tenants you want to support and don&#8217;t want to end up with multiple
entries in your configuration file, you can use the <code>io.quarkus.oidc.TenantConfigResolver</code>.</p>
</div>
<div class="paragraph">
<p>This interface allows you to dynamically create tenant configurations at runtime:</p>
</div>
<div class="listingblock">
<div class="content">
<pre class="highlightjs highlight"><code data-lang="java" class="language-java hljs">package io.quarkus.it.keycloak;

import javax.enterprise.context.ApplicationScoped;

import io.quarkus.oidc.TenantConfigResolver;
import io.quarkus.oidc.runtime.OidcTenantConfig;
import io.vertx.ext.web.RoutingContext;

@ApplicationScoped
public class CustomTenantConfigResolver implements TenantConfigResolver {

    @Override
    public OidcTenantConfig resolve(RoutingContext context) {
        String path = context.request().path();
        String[] parts = path.split("/");

        if (parts.length == 0) {
            // resolve to default tenant configuration
            return null;
        }

        if ("tenant-c".equals(parts[1])) {
            OidcTenantConfig config = new OidcTenantConfig();

            config.setTenantId("tenant-c");
            config.setAuthServerUrl("http://localhost:8180/auth/realms/tenant-c");
            config.setClientId("multi-tenant-client");
            OidcTenantConfig.Credentials credentials = new OidcTenantConfig.Credentials();

            credentials.setSecret("my-secret");

            config.setCredentials(credentials);

            // any other setting support by the quarkus-oidc extension

            return config;
        }

        // resolve to default tenant configuration
        return null;
    }
}</code></pre>
</div>
</div>
<div class="paragraph">
<p>The <code>OidcTenantConfig</code> returned from this method is the same used to parse the <code>oidc</code> namespace configuration from the <code>application.properties</code>. You can populate it using any of the settings supported by the <code>quarkus-oidc</code> extension.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="disabling-tenant-configurations"><a class="anchor" href="#disabling-tenant-configurations"></a>Disabling Tenant Configurations</h2>
<div class="sectionbody">
<div class="paragraph">
<p>Custom <code>TenantResolver</code> and <code>TenantConfigResolver</code> implementations may return <code>null</code> if no tenant can be inferred from the current request and a fallback to the default tenant configuration is required.</p>
</div>
<div class="paragraph">
<p>If it is expected that the custom resolvers will always infer a tenant then the default tenant configuration is not needed. One can disable it with the <code>quarkus.oidc.tenant-enabled=false</code> setting.</p>
</div>
<div class="paragraph">
<p>Note that tenant specific configurations can also be disabled, for example: <code>quarkus.oidc.tenant-a.tenant-enabled=false</code>.</p>
</div>
</div>
</div>
<div class="sect1">
<h2 id="configuration-reference"><a class="anchor" href="#configuration-reference"></a>Configuration Reference</h2>
<div class="sectionbody">
<div class="paragraph configuration-legend">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> Configuration property fixed at build time - All other configuration properties are overridable at runtime</p>
</div>
<table class="tableblock frame-all grid-all stretch configuration-reference searchable">
<colgroup>
<col style="width: 80%;">
<col style="width: 10%;">
<col style="width: 10%;">
</colgroup>
<tbody>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-oidc_configuration"></a><a href="#quarkus-oidc_configuration">Configuration property</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><span class="icon"><i class="fa fa-lock" title="Fixed at build time"></i></span> <a id="quarkus-oidc_quarkus.oidc.enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.enabled">quarkus.oidc.enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If the OIDC extension is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tenant-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.tenant-id">quarkus.oidc.tenant-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>A unique tenant identifier. It must be set by <code>TenantConfigResolver</code> providers which resolve the tenant configuration dynamically and is optional in all other cases.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tenant-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.tenant-enabled">quarkus.oidc.tenant-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this tenant configuration is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.application-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.application-type">quarkus.oidc.application-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The application type, which can be one of the following values from enum <code>ApplicationType</code>.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>web-app</code>, <code>service</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>service</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.auth-server-url"></a><code><a href="#quarkus-oidc_quarkus.oidc.auth-server-url">quarkus.oidc.auth-server-url</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The base URL of the OpenID Connect (OIDC) server, for example, 'https://host:port/auth'. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: 'https://host:port/auth/realms/{realm}' where '{realm}' has to be replaced by the name of the Keycloak realm.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.discovery-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.discovery-enabled">quarkus.oidc.discovery-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Enables OIDC discovery. If the discovery is disabled then the following properties must be configured: - 'authorization-path' and 'token-path' for the 'web-app' applications - 'jwks-path' or 'introspection-path' for both the 'web-app' and 'service' applications
 'web-app' applications may also have 'user-info-path' and 'end-session-path' properties configured.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authorization-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authorization-path">quarkus.oidc.authorization-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.token-path">quarkus.oidc.token-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC token endpoint which issues ID, access and refresh tokens. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.user-info-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.user-info-path">quarkus.oidc.user-info-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.introspection-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.introspection-path">quarkus.oidc.introspection-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.jwks-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.jwks-path">quarkus.oidc.jwks-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.end-session-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.end-session-path">quarkus.oidc.end-session-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.connection-delay"></a><code><a href="#quarkus-oidc_quarkus.oidc.connection-delay">quarkus.oidc.connection-delay</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The maximum amount of time the adapter will try connecting to the currently unavailable OIDC server for. For example, setting it to '20S' will let the adapter keep requesting the connection for up to 20 seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.public-key"></a><code><a href="#quarkus-oidc_quarkus.oidc.public-key">quarkus.oidc.public-key</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.client-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.client-id">quarkus.oidc.client-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client-id of the application. Each application has a client-id that is used to identify the application</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.role-claim-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.role-claim-path">quarkus.oidc.roles.role-claim-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Path to the claim containing an array of groups. It starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in a different claim.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.role-claim-separator"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.role-claim-separator">quarkus.oidc.roles.role-claim-separator</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to a custom claim whose value is a string. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.roles.source"></a><code><a href="#quarkus-oidc_quarkus.oidc.roles.source">quarkus.oidc.roles.source</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Source of the principal roles.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>idtoken</code>, <code>accesstoken</code>, <code>userinfo</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.issuer"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.issuer">quarkus.oidc.token.issuer</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected issuer 'iss' claim value.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.audience"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.audience">quarkus.oidc.token.audience</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected audience 'aud' claim value which may be a string or an array of strings.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.token-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.token-type">quarkus.oidc.token.token-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected token type</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.lifespan-grace"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.lifespan-grace">quarkus.oidc.token.lifespan-grace</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.principal-claim"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.principal-claim">quarkus.oidc.token.principal-claim</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and <code>sub</code> claims are checked.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.refresh-expired"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.refresh-expired">quarkus.oidc.token.refresh-expired</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Refresh expired ID tokens. If this property is enabled then a refresh token request is performed and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated as an indication that the session at the OpenID Provider no longer exists. This option is only valid when the application is of type <code>ApplicationType#WEB_APP</code>}.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.token.forced-jwk-refresh-interval"></a><code><a href="#quarkus-oidc_quarkus.oidc.token.forced-jwk-refresh-interval">quarkus.oidc.token.forced-jwk-refresh-interval</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Forced JWK set refresh interval in minutes.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10M</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.secret">quarkus.oidc.credentials.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Client secret which is used for a 'client_secret_basic' authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.client-secret.value"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.client-secret.value">quarkus.oidc.credentials.client-secret.value</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client secret</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.client-secret.method"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.client-secret.method">quarkus.oidc.credentials.client-secret.method</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Authentication method.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>basic</code>, <code>post</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.jwt.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.jwt.secret">quarkus.oidc.credentials.jwt.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>client_secret_jwt: JWT which includes client id as one of its claims is signed by the client secret and is submitted as a 'client_assertion' form parameter, while 'client_assertion_type' parameter is set to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.credentials.jwt.lifespan"></a><code><a href="#quarkus-oidc_quarkus.oidc.credentials.jwt.lifespan">quarkus.oidc.credentials.jwt.lifespan</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.host"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.host">quarkus.oidc.proxy.host</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The host (name or IP address) of the Proxy.
 Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.port"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.port">quarkus.oidc.proxy.port</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The port number of the Proxy. Default value is 80.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>80</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.username"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.username">quarkus.oidc.proxy.username</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The username, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.proxy.password"></a><code><a href="#quarkus-oidc_quarkus.oidc.proxy.password">quarkus.oidc.proxy.password</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The password, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.redirect-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.redirect-path">quarkus.oidc.authentication.redirect-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI&#8217;s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.restore-path-after-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.restore-path-after-redirect">quarkus.oidc.authentication.restore-path-after-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.remove-redirect-parameters"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.remove-redirect-parameters">quarkus.oidc.authentication.remove-redirect-parameters</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.verify-access-token"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.verify-access-token">quarkus.oidc.authentication.verify-access-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Both ID and access tokens are verified as part of the authorization code flow and every time these tokens are retrieved from the user session. One should disable the access token verification if it is only meant to be propagated to the downstream services. Note the ID token will always be verified.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.force-redirect-https-scheme"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.force-redirect-https-scheme">quarkus.oidc.authentication.force-redirect-https-scheme</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout <code>post_logout_redirect_uri</code> and the local redirect requests.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.scopes"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.scopes">quarkus.oidc.authentication.scopes</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>List of scopes</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.cookie-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.cookie-path">quarkus.oidc.authentication.cookie-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Cookie path parameter value which, if set, will be used for the session and state cookies. It may need to be set when the redirect path has a root different to that of the original request URL.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.user-info-required"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.user-info-required">quarkus.oidc.authentication.user-info-required</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then an OIDC UserInfo endpoint will be called</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.xhr-auto-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.xhr-auto-redirect">quarkus.oidc.authentication.xhr-auto-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via XMLHttpRequest and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since XMLHttpRequest automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to <code>false</code> then a status code of '499' will be returned to allow the client to handle the redirect manually</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.tls.verification"></a><code><a href="#quarkus-oidc_quarkus.oidc.tls.verification">quarkus.oidc.tls.verification</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Certificate validation and hostname verification, which can be one of the following values from enum <code>Verification</code>. Default is required.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code>, <code>none</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.logout.path"></a><code><a href="#quarkus-oidc_quarkus.oidc.logout.path">quarkus.oidc.logout.path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.logout.post-logout-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.logout.post-logout-path">quarkus.oidc.logout.post-logout-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.authentication.extra-params-extra-params"></a><code><a href="#quarkus-oidc_quarkus.oidc.authentication.extra-params-extra-params">quarkus.oidc.authentication.extra-params</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Additional properties which will be added as the query parameters to the authentication redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>Map&lt;String,String&gt;</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">required <span class="icon"><i class="fa fa-exclamation-circle" title="Configuration property is required"></i></span></p></td>
</tr>
<tr>
<th class="tableblock halign-left valign-top"><p class="tableblock"><a id="quarkus-oidc_quarkus.oidc.named-tenants"></a><a href="#quarkus-oidc_quarkus.oidc.named-tenants">Additional named tenants</a></p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Type</p></th>
<th class="tableblock halign-left valign-middle"><p class="tableblock">Default</p></th>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tenant-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tenant-id">quarkus.oidc."tenant".tenant-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>A unique tenant identifier. It must be set by <code>TenantConfigResolver</code> providers which resolve the tenant configuration dynamically and is optional in all other cases.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tenant-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tenant-enabled">quarkus.oidc."tenant".tenant-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this tenant configuration is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.application-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.application-type">quarkus.oidc."tenant".application-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The application type, which can be one of the following values from enum <code>ApplicationType</code>.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>web-app</code>, <code>service</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>service</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.auth-server-url"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.auth-server-url">quarkus.oidc."tenant".auth-server-url</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The base URL of the OpenID Connect (OIDC) server, for example, 'https://host:port/auth'. OIDC discovery endpoint will be called by default by appending a '.well-known/openid-configuration' path to this URL. Note if you work with Keycloak OIDC server, make sure the base URL is in the following format: 'https://host:port/auth/realms/{realm}' where '{realm}' has to be replaced by the name of the Keycloak realm.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.discovery-enabled"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.discovery-enabled">quarkus.oidc."tenant".discovery-enabled</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Enables OIDC discovery. If the discovery is disabled then the following properties must be configured: - 'authorization-path' and 'token-path' for the 'web-app' applications - 'jwks-path' or 'introspection-path' for both the 'web-app' and 'service' applications
 'web-app' applications may also have 'user-info-path' and 'end-session-path' properties configured.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authorization-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authorization-path">quarkus.oidc."tenant".authorization-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC authorization endpoint which authenticates the users. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token-path">quarkus.oidc."tenant".token-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC token endpoint which issues ID, access and refresh tokens. This property must be set for the 'web-app' applications if OIDC discovery is disabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.user-info-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.user-info-path">quarkus.oidc."tenant".user-info-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC userinfo endpoint. This property must only be set for the 'web-app' applications if OIDC discovery is disabled and 'authentication.user-info-required' property is enabled. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.introspection-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.introspection-path">quarkus.oidc."tenant".introspection-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC RFC7662 introspection endpoint which can introspect both opaque and JWT tokens. This property must be set if OIDC discovery is disabled and 1) the opaque bearer access tokens have to be verified or 2) JWT tokens have to be verified while the cached JWK verification set with no matching JWK is being refreshed. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.jwks-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.jwks-path">quarkus.oidc."tenant".jwks-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC JWKS endpoint which returns a JSON Web Key Verification Set. This property should be set if OIDC discovery is disabled and the local JWT verification is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.end-session-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.end-session-path">quarkus.oidc."tenant".end-session-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the OIDC end_session_endpoint. This property must be set if OIDC discovery is disabled and RP Initiated Logout support for the 'web-app' applications is required. This property will be ignored if the discovery is enabled.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.connection-delay"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.connection-delay">quarkus.oidc."tenant".connection-delay</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The maximum amount of time the adapter will try connecting to the currently unavailable OIDC server for. For example, setting it to '20S' will let the adapter keep requesting the connection for up to 20 seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.public-key"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.public-key">quarkus.oidc."tenant".public-key</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Public key for the local JWT token verification. OIDC server connection will not be created when this property is set.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.client-id"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.client-id">quarkus.oidc."tenant".client-id</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client-id of the application. Each application has a client-id that is used to identify the application</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-path">quarkus.oidc."tenant".roles.role-claim-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Path to the claim containing an array of groups. It starts from the top level JWT JSON object and can contain multiple segments where each segment represents a JSON object name only, example: "realm/groups". Use double quotes with the namespace qualified claim names. This property can be used if a token has no 'groups' claim but has the groups set in a different claim.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-separator"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.role-claim-separator">quarkus.oidc."tenant".roles.role-claim-separator</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Separator for splitting a string which may contain multiple group values. It will only be used if the "role-claim-path" property points to a custom claim whose value is a string. A single space will be used by default because the standard 'scope' claim may contain a space separated sequence.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.roles.source"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.roles.source">quarkus.oidc."tenant".roles.source</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Source of the principal roles.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>idtoken</code>, <code>accesstoken</code>, <code>userinfo</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.issuer"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.issuer">quarkus.oidc."tenant".token.issuer</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected issuer 'iss' claim value.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.audience"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.audience">quarkus.oidc."tenant".token.audience</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected audience 'aud' claim value which may be a string or an array of strings.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.token-type"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.token-type">quarkus.oidc."tenant".token.token-type</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Expected token type</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.lifespan-grace"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.lifespan-grace">quarkus.oidc."tenant".token.lifespan-grace</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Life span grace period in seconds. When checking token expiry, current time is allowed to be later than token expiration time by at most the configured number of seconds. When checking token issuance, current time is allowed to be sooner than token issue time by at most the configured number of seconds.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.principal-claim"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.principal-claim">quarkus.oidc."tenant".token.principal-claim</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Name of the claim which contains a principal name. By default, the 'upn', 'preferred_username' and <code>sub</code> claims are checked.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.refresh-expired"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.refresh-expired">quarkus.oidc."tenant".token.refresh-expired</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Refresh expired ID tokens. If this property is enabled then a refresh token request is performed and, if successful, the local session is updated with the new set of tokens. Otherwise, the local session is invalidated as an indication that the session at the OpenID Provider no longer exists. This option is only valid when the application is of type <code>ApplicationType#WEB_APP</code>}.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.token.forced-jwk-refresh-interval"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.token.forced-jwk-refresh-interval">quarkus.oidc."tenant".token.forced-jwk-refresh-interval</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Forced JWK set refresh interval in minutes.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html">Duration</a>
  <a href="#duration-note-anchor" title="More information about the Duration format"><span class="icon"><i class="fa fa-question-circle"></i></span></a></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10M</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.secret">quarkus.oidc."tenant".credentials.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Client secret which is used for a 'client_secret_basic' authentication method. Note that a 'client-secret.value' can be used instead but both properties are mutually exclusive.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.value"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.value">quarkus.oidc."tenant".credentials.client-secret.value</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The client secret</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.method"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.client-secret.method">quarkus.oidc."tenant".credentials.client-secret.method</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Authentication method.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>basic</code>, <code>post</code></p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.secret"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.secret">quarkus.oidc."tenant".credentials.jwt.secret</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>client_secret_jwt: JWT which includes client id as one of its claims is signed by the client secret and is submitted as a 'client_assertion' form parameter, while 'client_assertion_type' parameter is set to "urn:ietf:params:oauth:client-assertion-type:jwt-bearer".</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.lifespan"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.credentials.jwt.lifespan">quarkus.oidc."tenant".credentials.jwt.lifespan</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>JWT life-span in seconds. It will be added to the time it was issued at to calculate the expiration time.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>10</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.host"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.host">quarkus.oidc."tenant".proxy.host</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The host (name or IP address) of the Proxy.
 Note: If OIDC adapter needs to use a Proxy to talk with OIDC server (Provider), then at least the "host" config item must be configured to enable the usage of a Proxy.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.port"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.port">quarkus.oidc."tenant".proxy.port</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The port number of the Proxy. Default value is 80.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">int</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>80</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.username"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.username">quarkus.oidc."tenant".proxy.username</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The username, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.proxy.password"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.proxy.password">quarkus.oidc."tenant".proxy.password</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The password, if Proxy needs authentication.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.redirect-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.redirect-path">quarkus.oidc."tenant".authentication.redirect-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path for calculating a "redirect_uri" query parameter. It has to start from a forward slash and will be appended to the request URI&#8217;s host and port. For example, if the current request URI is 'https://localhost:8080/service' then a 'redirect_uri' parameter will be set to 'https://localhost:8080/' if this property is set to '/' and be the same as the request URI if this property has not been configured. Note the original request URI will be restored after the user has authenticated.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.restore-path-after-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.restore-path-after-redirect">quarkus.oidc."tenant".authentication.restore-path-after-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then the original request URI which was used before the authentication will be restored after the user has been redirected back to the application.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.remove-redirect-parameters"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.remove-redirect-parameters">quarkus.oidc."tenant".authentication.remove-redirect-parameters</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Remove the query parameters such as 'code' and 'state' set by the OIDC server on the redirect URI after the user has authenticated by redirecting a user to the same URI but without the query parameters.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.verify-access-token"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.verify-access-token">quarkus.oidc."tenant".authentication.verify-access-token</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Both ID and access tokens are verified as part of the authorization code flow and every time these tokens are retrieved from the user session. One should disable the access token verification if it is only meant to be propagated to the downstream services. Note the ID token will always be verified.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.force-redirect-https-scheme"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.force-redirect-https-scheme">quarkus.oidc."tenant".authentication.force-redirect-https-scheme</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Force 'https' as the 'redirect_uri' parameter scheme when running behind an SSL terminating reverse proxy. This property, if enabled, will also affect the logout <code>post_logout_redirect_uri</code> and the local redirect requests.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.scopes"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.scopes">quarkus.oidc."tenant".authentication.scopes</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>List of scopes</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">list of string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.extra-params-extra-params"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.extra-params-extra-params">quarkus.oidc."tenant".authentication.extra-params</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Additional properties which will be added as the query parameters to the authentication redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>Map&lt;String,String&gt;</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">required <span class="icon"><i class="fa fa-exclamation-circle" title="Configuration property is required"></i></span></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.cookie-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.cookie-path">quarkus.oidc."tenant".authentication.cookie-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Cookie path parameter value which, if set, will be used for the session and state cookies. It may need to be set when the redirect path has a root different to that of the original request URL.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.user-info-required"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.user-info-required">quarkus.oidc."tenant".authentication.user-info-required</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then an OIDC UserInfo endpoint will be called</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>false</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.authentication.xhr-auto-redirect"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.authentication.xhr-auto-redirect">quarkus.oidc."tenant".authentication.xhr-auto-redirect</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>If this property is set to 'true' then a normal 302 redirect response will be returned if the request was initiated via XMLHttpRequest and the current user needs to be (re)authenticated which may not be desirable for Single Page Applications since XMLHttpRequest automatically following the redirect may not work given that OIDC authorization endpoints typically do not support CORS. If this property is set to <code>false</code> then a status code of '499' will be returned to allow the client to handle the redirect manually</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">boolean</p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>true</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.tls.verification"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.tls.verification">quarkus.oidc."tenant".tls.verification</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Certificate validation and hostname verification, which can be one of the following values from enum <code>Verification</code>. Default is required.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code>, <code>none</code></p></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock"><code>required</code></p></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.logout.path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.logout.path">quarkus.oidc."tenant".logout.path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>The relative path of the logout endpoint at the application. If provided, the application is able to initiate the logout through this endpoint in conformance with the OpenID Connect RP-Initiated Logout specification.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
<tr>
<td class="tableblock halign-left valign-top"><div class="content"><div class="paragraph">
<p><a id="quarkus-oidc_quarkus.oidc.-tenant-.logout.post-logout-path"></a><code><a href="#quarkus-oidc_quarkus.oidc.-tenant-.logout.post-logout-path">quarkus.oidc."tenant".logout.post-logout-path</a></code></p>
</div>
<div class="openblock description">
<div class="content">
<div class="paragraph">
<p>Relative path of the application endpoint where the user should be redirected to after logging out from the OpenID Connect Provider. This endpoint URI must be properly registered at the OpenID Connect Provider as a valid redirect URI.</p>
</div>
</div>
</div></div></td>
<td class="tableblock halign-left valign-middle"><p class="tableblock">string</p></td>
<td class="tableblock halign-left valign-middle"></td>
</tr>
</tbody>
</table>
<div id="duration-note-anchor" class="admonitionblock note">
<table>
<tr>
<td class="icon">
<i class="fa icon-note" title="Note"></i>
</td>
<td class="content">
<div class="title">About the Duration format</div>
<div class="paragraph">
<p>The format for durations uses the standard <code>java.time.Duration</code> format.
You can learn more about it in the <a href="https://docs.oracle.com/javase/8/docs/api/java/time/Duration.html#parse-java.lang.CharSequence-">Duration#parse() javadoc</a>.</p>
</div>
<div class="paragraph">
<p>You can also provide duration values starting with a number.
In this case, if the value consists only of a number, the converter treats the value as seconds.
Otherwise, <code>PT</code> is implicitly prepended to the value to obtain a standard <code>java.time.Duration</code> format.</p>
</div>
</td>
</tr>
</table>
</div>
</div>
</div>
<div class="sect1">
<h2 id="references"><a class="anchor" href="#references"></a>References</h2>
<div class="sectionbody">
<div class="ulist">
<ul>
<li>
<p><a href="https://www.keycloak.org/documentation.html">Keycloak Documentation</a></p>
</li>
<li>
<p><a href="https://openid.net/connect/">OpenID Connect</a></p>
</li>
<li>
<p><a href="https://tools.ietf.org/html/rfc7519">JSON Web Token</a></p>
</li>
<li>
<p><a href="https://developers.google.com/identity/protocols/OpenIDConnect">Google OpenID Connect</a></p>
</li>
</ul>
</div>
</div>
</div>
    </div>
  </div>
</div>

  </div>

  <div class="content project-footer">
  <div class="footer-section">
    <div class="logo-wrapper">
      <a href="/"><img src="/assets/images/quarkus_logo_horizontal_rgb_reverse.svg" class="project-logo" title="Quarkus"></a>
    </div>
  </div>
  <div class="grid-wrapper">
    <p class="grid__item width-3-12">Quarkus is open. All dependencies of this project are available under the <a href='https://www.apache.org/licenses/LICENSE-2.0' target='_blank'>Apache Software License 2.0</a> or compatible license.<br /><br />This website was built with <a href='https://jekyllrb.com/' target='_blank'>Jekyll</a>, is hosted on <a href='https://pages.github.com/' target='_blank'>Github Pages</a> and is completely open source. If you want to make it better, <a href='https://github.com/quarkusio/quarkusio.github.io' target='_blank'>fork the website</a> and show us what you’ve got.</p>

    
      <div class="width-1-12 project-links">
        <span>Navigation</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="/">Home</a></li>
          
            <li><a href="/guides">Guides</a></li>
          
            <li><a href="/community/#contributing">Contribute</a></li>
          
            <li><a href="/faq">FAQ</a></li>
          
            <li><a href="/get-started">Get Started</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Contribute</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://twitter.com/quarkusio">Follow us</a></li>
          
            <li><a href="https://github.com/quarkusio">GitHub</a></li>
          
            <li><a href="/security">Security&nbsp;policy</a></li>
          
        </ul>
      </div>
    
      <div class="width-1-12 project-links">
        <span>Get Help</span>
        <ul class="footer-links width-1-12">
          
            <li><a href="https://groups.google.com/forum/#!forum/quarkus-dev">Forums</a></li>
          
            <li><a href="https://quarkusio.zulipchat.com">Chatroom</a></li>
          
        </ul>
      </div>
    

    
      <div class="width-3-12 more-links">
        <span>Quarkus is made of community projects</span>
        <ul class="footer-links">
          
            <li><a href="https://vertx.io/" target="_blank">Eclipse Vert.x</a></li>
          
            <li><a href="https://microprofile.io" target="_blank">Eclipse MicroProfile</a></li>
          
            <li><a href="https://hibernate.org" target="_blank">Hibernate</a></li>
          
            <li><a href="https://netty.io" target="_blank">Netty</a></li>
          
            <li><a href="https://resteasy.github.io" target="_blank">RESTEasy</a></li>
          
            <li><a href="https://camel.apache.org" target="_blank">Apache Camel</a></li>
          
            <li><a href="https://code.quarkus.io/" target="_blank">And many more...</a></li>
          
        </ul>
      </div>
    
  </div>
</div>
  <div class="content redhat-footer">
  <div class="grid-wrapper">
    <span class="licence">
      <i class="fab fa-creative-commons"></i><i class="fab fa-creative-commons-by"></i> <a href="https://creativecommons.org/licenses/by/3.0/" target="_blank">CC by 3.0</a> | <a href="https://www.redhat.com/en/about/privacy-policy">Privacy Policy</a>
    </span>
    <span class="redhat">
      Sponsored by
    </span>
    <span class="redhat-logo">
      <a href="https://www.redhat.com/" target="_blank"><img src="/assets/images/redhat_reversed.svg"></a>
    </span>
  </div>
</div>


  <script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js" integrity="sha384-8gBf6Y4YYq7Jx97PIqmTwLPin4hxIzQw5aDmUg/DDhul9fFpbbLcLh3nTIIDJKhx" crossorigin="anonymous"></script>
  <script type="text/javascript" src="/assets/javascript/mobile-nav.js"></script>
  <script type="text/javascript" src="/assets/javascript/scroll-down.js"></script>
  <script src="/assets/javascript/satellite.js" type="text/javascript"></script>
  <script src="https://quarkus.io/guides/javascript/config.js" type="text/javascript"></script>
  <script src="/assets/javascript/search-filter.js" type="text/javascript"></script>
  <script src="/assets/javascript/back-to-top.js" type="text/javascript"></script>
</body>

</html>
